From 8cf75e77dad43b16c1683a34c360587e4ea8156b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nils=20M=C3=BCller?=
Date: Mon, 5 Aug 2024 23:13:33 +0200
Subject: [PATCH] feat(minio): setup on kube-nas #2007
---
 .../apps/minio-system/kustomization.yaml | 7 +
 .../minio-system/minio/app/helm-release.yaml | 132 ++++++++++++++++++
 .../minio-system/minio/app/kustomization.yaml | 7 +
 .../minio-system/minio/app/secrets.sops.yaml | 28 ++++
 .../apps/minio-system/minio/flux-sync.yaml | 21 +++
 .../kube-nas/apps/minio-system/namespace.yaml | 7 +
 6 files changed, 202 insertions(+)
 create mode 100644 kubernetes/kube-nas/apps/minio-system/kustomization.yaml
 create mode 100644 kubernetes/kube-nas/apps/minio-system/minio/app/helm-release.yaml
 create mode 100644 kubernetes/kube-nas/apps/minio-system/minio/app/kustomization.yaml
 create mode 100644 kubernetes/kube-nas/apps/minio-system/minio/app/secrets.sops.yaml
 create mode 100644 kubernetes/kube-nas/apps/minio-system/minio/flux-sync.yaml
 create mode 100644 kubernetes/kube-nas/apps/minio-system/namespace.yaml
diff --git a/kubernetes/kube-nas/apps/minio-system/kustomization.yaml b/kubernetes/kube-nas/apps/minio-system/kustomization.yaml
new file mode 100644
index 000000000..e7b1398ce
--- /dev/null
+++ b/kubernetes/kube-nas/apps/minio-system/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./namespace.yaml
+ - ./minio/flux-sync.yaml
diff --git a/kubernetes/kube-nas/apps/minio-system/minio/app/helm-release.yaml b/kubernetes/kube-nas/apps/minio-system/minio/app/helm-release.yaml
new file mode 100644
index 000000000..e98428330
--- /dev/null
+++ b/kubernetes/kube-nas/apps/minio-system/minio/app/helm-release.yaml
@@ -0,0 +1,132 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: minio
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: app-template
+ version: 3.3.2
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s-charts
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ controllers:
+ minio:
+ annotations:
+ reloader.stakater.com/auto: "true"
+ containers:
+ app:
+ image:
+ repository: quay.io/minio/minio
+ tag: RELEASE.2024-07-31T05-46-26Z@sha256:9eea83a4e1425067e7b768397756efad19d36fc1c710808b8e1072236e8806c7
+ env:
+ MINIO_API_CORS_ALLOW_ORIGIN: https://minio.tyriis.dev,https://s3.tyriis.dev
+ MINIO_BROWSER_REDIRECT_URL: https://minio.tyriis.dev
+ MINIO_PROMETHEUS_JOB_ID: minio
+ MINIO_PROMETHEUS_URL: https://prometheus.techtales.io
+ MINIO_PROMETHEUS_AUTH_TYPE: public
+ MINIO_SERVER_URL: https://s3.tyriis.dev
+ MINIO_STORAGE_CLASS_RRS: EC:0
+ MINIO_STORAGE_CLASS_STANDARD: EC:0
+ MINIO_UPDATE: "off"
+ envFrom:
+ - secretRef:
+ name: minio-env
+ args: ["server", "/data", "--console-address", ":9001"]
+ probes:
+ liveness: &probes
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /minio/health/live
+ port: 9000
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 10
+ failureThreshold: 6
+ readiness: *probes
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities: { drop: ["ALL"] }
+ resources:
+ requests:
+ cpu: 100m
+ limits:
+ memory: 2Gi
+ defaultPodOptions:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 568
+ runAsGroup: 568
+ fsGroup: 568
+ fsGroupChangePolicy: OnRootMismatch
+ supplementalGroups: [10000]
+ seccompProfile: { type: RuntimeDefault }
+ service:
+ app:
+ controller: minio
+ ports:
+ http:
+ port: 9001
+ s3:
+ port: 9000
+ # serviceMonitor:
+ # app:
+ # serviceName: minio
+ # endpoints:
+ # - port: s3
+ # scheme: http
+ # path: /minio/v2/metrics/cluster
+ # interval: 1m
+ # scrapeTimeout: 10s
+ ingress:
+ app:
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ kubernetes.io/tls-acme: "true"
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ className: internal
+ hosts:
+ - host: &host1 "{{ .Release.Name }}.tyriis.dev"
+ paths:
+ - path: /
+ service:
+ identifier: app
+ port: http
+ - host: &host2 s3.tyriis.dev
+ paths:
+ - path: /
+ service:
+ identifier: app
+ port: s3
+ tls:
+ - hosts:
+ - *host1
+ - *host2
+ secretName: "{{ .Release.Name }}-tls"
+ persistence:
+ data:
+ type: persistentVolumeClaim
+ accessMode: ReadWriteOnce
+ size: 100Gi
+ storageClass: openebs-hostpath
+ advancedMounts:
+ syncthing:
+ app:
+ - path: /data
diff --git a/kubernetes/kube-nas/apps/minio-system/minio/app/kustomization.yaml b/kubernetes/kube-nas/apps/minio-system/minio/app/kustomization.yaml
new file mode 100644
index 000000000..9dcee7686
--- /dev/null
+++ b/kubernetes/kube-nas/apps/minio-system/minio/app/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./secrets.sops.yaml
+ - ./helm-release.yaml
diff --git a/kubernetes/kube-nas/apps/minio-system/minio/app/secrets.sops.yaml b/kubernetes/kube-nas/apps/minio-system/minio/app/secrets.sops.yaml
new file mode 100644
index 000000000..7373e59ae
--- /dev/null
+++ b/kubernetes/kube-nas/apps/minio-system/minio/app/secrets.sops.yaml
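Review bot: The `advancedMounts` block at the end of the helm-release hunk keys the `data` claim under `syncthing`, but the only controller defined in this release is `minio`, so the PVC is never mounted into the container; with `readOnlyRootFilesystem: true` the `server /data` command then has no writable target, which looks like a copy-paste from another release — the key should read `minio:` instead of `syncthing:`. Separately, `MINIO_PROMETHEUS_AUTH_TYPE: public` serves the metrics endpoints without a bearer token on the same port that the `s3.tyriis.dev` ingress publishes, while the `serviceMonitor` that would consume them is commented out; either keep the default authenticated mode until scraping is wired up, or restrict the metrics path at the ingress. Minor: `readiness: *probes` aliases the liveness spec, so readiness checks `/minio/health/live` rather than `/minio/health/ready`.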
@@ -0,0 +1,28 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+ name: minio-env
+stringData:
+ MINIO_ROOT_USER: ENC[AES256_GCM,data:v7psJAGwot7+hg==,iv:hP6f0P0F5eDuNnixg622ZdB+jeoEuQkWtaIHvMMYtGA=,tag:r7jrBItaB0MT+JVapXcvTA==,type:str]
+ MINIO_ROOT_PASSWORD: ENC[AES256_GCM,data:zsuCm9SGevz7UA==,iv:9p4F0PGRtL7UGR5LfCrMO2+si5gTyGq9KwawRwk4IX8=,tag:otnMUDLHWEAtD/31CaLtRg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1clg0rd6ca86h3lnfnjyqsc9stgr0cnyp3l5uswtusxppjq9h2vcsaqckec
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkUzRWUkxIMnA1Nm5MSFVP
+ anliQ3F3R1VyWVVNak5mUm5ST3dsSnFRY1hrCkpONU50NGsyUWlhNkYyL3lqN1h5
+ VXdSZ0g2NnFsS0loMERMWmZIbGdob28KLS0tIE83RHBlY2FYd0F0YklBRThQd2tl
+ TVM4dVYwY3ExYkIxSmJoK3V5VEJNQ2MKs9lDocwW5M7BmdvfvOABbjuffo16CJok
+ djKyN7RS86g3cstMR5X4uKoC+UFS6F4+xkNVtJoc6mZS71ZN4RU2/w==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-08-05T21:09:48Z"
+ mac: ENC[AES256_GCM,data:8tP8lBAril8ZJluPI4a+Eim65ZF6v0+c1XI0e1vsStZ4SdLTEeY933fHmurRO9qD9H9JDopQdxfKfnxbNMkldwz+ycqOgWyWIeh3s/iXbulaG48e9CnPW6mPU+soLo8cTHxpWpEFYnC23Vui0vRt/Mzt+BgbpeRQGIQJDSSIsi8=,iv:O5G5Hnqqa7931GuyO60z1YJ2ncioBx6qNfzIBacn/98=,tag:T8sekJ8jXgQmmuMscSQqLQ==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.8.1
diff --git a/kubernetes/kube-nas/apps/minio-system/minio/flux-sync.yaml b/kubernetes/kube-nas/apps/minio-system/minio/flux-sync.yaml
new file mode 100644
index 000000000..c10339377
--- /dev/null
+++ b/kubernetes/kube-nas/apps/minio-system/minio/flux-sync.yaml
@@ -0,0 +1,21 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app minio
+ namespace: flux-system
+spec:
+ targetNamespace: minio-system
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/kube-nas/apps/minio-system/minio/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/kube-nas/apps/minio-system/namespace.yaml b/kubernetes/kube-nas/apps/minio-system/namespace.yaml
new file mode 100644
index 000000000..60a2a0021
--- /dev/null
+++ b/kubernetes/kube-nas/apps/minio-system/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: minio-system
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
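Review bot: The flux-sync Kustomization declares no `spec.decryption`, yet the `app` path it reconciles lists `secrets.sops.yaml` (added in this same commit) whose `stringData` values are `ENC[...]` ciphertext. Unless SOPS decryption is inherited from the parent Kustomization that applies this file — not visible here, so worth confirming — the Secret is applied verbatim and MinIO starts with unusable root credentials in `minio-env`. If the repo does not rely on inheritance, add a `decryption` stanza under `spec` with `provider: sops` and a `secretRef` naming the cluster's existing age-key Secret.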